#VU816 Denial of service in Oracle products - CVE-2016-6306

Cybersecurity Help s.r.o.

Published: 2016-10-10 | Updated: 2017-04-26

Vulnerability identifier: #VU816

Vulnerability risk: Low

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2016-6306

CWE-ID: CWE-125

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenSSL
Server applications / Encryption software
Oracle Solaris
Operating systems & Components / Operating system
Oracle Linux
Operating systems & Components / Operating system
Oracle VM VirtualBox
Server applications / Virtualization software
Oracle VM Server for x86
Server applications / Other server solutions

Vendor: OpenSSL Software Foundation
Oracle

Description
The vulnerability allows a remote unauthenticated user to cause DoS conditions on the target system.
The weakess exists due insufficient length validation of certain TLS/SSL protocol handshake messages. By causing out-of-bounds read error attackers can trigger the affected service deny.
Successful exploitation of the vulnerability will result in denial of service on the vulnerable system.

Mitigation
Update 1.0.1 to version 1.0.1i.
Update 1.0.2 to version 1.0.2u.

Vulnerable software versions

OpenSSL: 1.0.1, 1.0.2

Oracle Solaris: 10 - 11.3

Oracle VM VirtualBox: 5.0.27, 5.1.7

Oracle VM Server for x86: 3.2 - 3.4

Oracle Linux: 5 - 7

External links
https://www.openssl.org/news/secadv/20160922.txt
https://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
https://www.oracle.com/technetwork/topics/security/bulletinoct2016-3090566.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
https://www.oracle.com/technetwork/topics/security/ovmbulletinoct2016-3090547.html
https://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html